Let me start off by saying that this little thing has been bugging me since forever.
So: we have a FreeBSD 7-1-STABLE box and a Linksys wrt54gl v1.1 with DD-WRT v24 (05/24/08) vpn.

Now.... on the router (services->services) I activated the "System Log" option and assigned my BSD box's IP (192.168.0.2). The router is 192.168.0.1. In Security->Firewall, the firewall is enabled and the "Log Management" also with "Log Level" set to "High" and all three options (Dropped, Rejected, Accepted) set to "High".

On the BSD box
rc.conf has

Code:

syslogd_enable="YES"
syslogd_flags="-d -a 192.168.0.1 -vv"

and /etc/syslogd.conf has

Code:

+192.168.0.1
*.* /var/log/router.log

but, when I restart the syslogd daemon (/etc/rc.d/syslogd restart) with debug mode enabled I see:

Now, I have pf enabled; so I disable it. Nothing. No lines get echo'd to router.log, nor does the error go away. So I try to redirect port 2052 to 514 with no effect. I'm guessing here... so the router is sending the logs to? 2052? Now that would be weird. So I do a tcpdump and I find this

The solaris box is 192.168.0.6. I did the "+solaris" in freebsd's syslogd.conf and added "192.168.0.6 solaris" to freebsd's /etc/hosts. All this just to get that error I posted previously. So, I'm kinda sure it's a misconfiguration of the bsd box. Will look into it more.

btw I see syslogd appends a ".ro" to the hostname it prints out. Instead of solaris it's solaris.ro; same with router (it's replaced with router.ro). At this point it's strange, but I admit I don't know much about this so maybe I'm wrong.

le: solaris's syslogd has "user.err @loghost" and "loghost" is 192.168.0.2 in solaris's /etc/hosts.

Did you create the /var/log/router.log file?
Syslogd only logs to an existing file, it does not create this file unless you use the -C option.

Yup, file was created way before changes were made. Lucky man command.

Quote:

According to syslogd(8) your -a 192.168.0.1 option actually is -a 192.168.0.1/16:514. Is that /16 netmask correct for your setup?

Actually /24 (255.255.255.0) is correct for my netmask but this doesn't work. I see that no matter what /16, /24 or /32 I use the results are the same; logging does not work, and I keep getting that "port mismatch" error. This only applies if I use :514. If I use :* all is ok no matter the netmask.

Quote:

RE: tcpdump
You can use the -n flag to disable name lookups, and the -s0 to see the complete data. -vv also helps

I like poking my eyes at everything and then eliminating the bad and using the good; but thx for the heads-up.

So..recap:

If I use in rc.conf of my bsd box -d -a 192.168.0.1/whatever:* -vv (tried /16 /24 /32, results are the same) logging works but logs to /var/log/messages and the "port mismatch" error is replaced by a very nice looking, I might add, output of

le: one of my mistakes was that I read the wrong manual for syslogd. Dunno why I used google to search for the manual and ended up with a faulty one that did not have the /:* mentioned at all. I mean, I dunno why I didn't use freebsd's manual (command line or web).

Code:

# $FreeBSD: src/etc/syslog.conf,v 1.28.18.1 2008/11/25 02:59:29 kensmith Exp $
#
# Spaces ARE valid field separators in this file. However,
# other *nix-like systems still insist on using tabs as field
# separators. If you are sharing this file between systems, you
# may want to use only tabs as field separators here.
# Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log
mail.info /var/log/maillog
lpr.info /var/log/lpd-errs
ftp.info /var/log/xferlog
cron.* /var/log/cron
*.=debug /var/log/debug.log
*.emerg *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.* /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.* @loghost
# uncomment these if you're running inn
# news.crit /var/log/news/news.crit
# news.err /var/log/news/news.err
# news.notice /var/log/news/news.notice
!startslip
*.* /var/log/slip.log
!ppp
*.* /var/log/ppp.log
+192.168.0.1
*.* /var/log/router.log
+*

le2: hmm, here's a thing I noticed. The line in syslogd.conf that tells the daemon what to log into messages has a "kern.debug" option to it. Makes sense now why it logs to messages; the bsd box considers the actual line logs coming from the kernel of the router. Darn, I wish I could specify a "quick" option.

Ok, sorted the problem....well, half of it anyway. So in fact syslog acts something like pf but in reverse. The first rule wins (but unfortunately so does the second, I see). I moved the

Code:

+192.168.0.1
*.* /var/log/router.log
+*

lines at the very top of the file and now it logs to the router.log file. Unfortunately it also logs to messages. A workaround would be to remove the "kernel.debug" option from the /var/log/messages line in syslogd.conf, but afterwards it would come back at me and bite me in the ......excuse me....... as no more kernel errors would be logged.

Now, removing the first option "*.notice" from the file on my bsd box and restarting the syslogd daemon actually helps a lot (the system stops double-logging), but also comes with a problem. While in fact removing that option makes syslogd log to the "router.log" file, it does not log any notices of the system to the "messages" file. Now, to be honest, I can't really tell which option logs what, from where, and other stuff, because I simply do not know, so until now, removing that option seems to fix the problem, but I will need some time to read some things in order to get my head straight and see in fact what it is that I have actually removed.
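As an added illustration of the last two posts (my own code, not something posted in this thread), here is a small Python model of how a syslog.conf host block and a facility.priority selector together decide which file a line goes to; it replays the router-block-first ordering above and also tries a "-hostname" exclusion block, a syslog.conf(5) form that the thread does not use and that I assume is the cleaner fix. The model is simplified (no program "!prog" blocks, no localhost special-casing) and the sample messages are constructed.

```python
# Constructed example, not this thread's code: toy model of FreeBSD syslog.conf host blocks.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_conf(text):
    """(host_spec, selector, action) tuples; host_spec None = any host,
    ('+', h) = only host h, ('-', h) = every host but h; a "+*" line resets."""
    rules, host_spec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] in "+-":                     # hostname specification line
            name = line[1:].strip()
            host_spec = None if name == "*" else (line[0], name)
            continue
        selector, action = line.split()         # "fac.pri;fac.pri  target"
        rules.append((host_spec, selector, action))
    return rules

def selector_matches(selector, facility, priority):
    """Later entry for a facility overrides an earlier one (so "*.notice;kern.debug"
    widens kern); "none" disables; "=pri" is exact; else pri or more severe."""
    wanted = False
    for entry in selector.split(";"):
        facs, pri = entry.split(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if pri == "none":
            wanted = False
        elif pri.startswith("="):
            wanted = priority == pri[1:]
        else:                                   # "*" means every priority
            wanted = pri == "*" or PRIORITIES.index(priority) <= PRIORITIES.index(pri)
    return wanted

def route(rules, src_host, facility, priority):
    """Every line whose host block and selector both match fires: no first-match-wins."""
    targets = []
    for host_spec, selector, action in rules:
        if host_spec and (host_spec[1] == src_host) != (host_spec[0] == "+"):
            continue                            # this block is for other hosts
        if selector_matches(selector, facility, priority):
            targets.append(action)
    return targets

# The thread's ordering: router block first, then "+*" re-opens the messages line.
THREAD_CONF = """
+192.168.0.1
*.* /var/log/router.log
+*
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
"""
# Assumed alternative: a "-host" block keeps the router out of the messages line.
EXCLUDE_CONF = THREAD_CONF.replace("+*", "-192.168.0.1")
```

With THREAD_CONF a kern.debug line from 192.168.0.1 is routed to both router.log and messages, while with EXCLUDE_CONF it reaches only router.log and local kern.notice lines still reach messages.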